Analysis of the DEF packer and writing an unpacker for it


Please don't laugh.
Where I am mistaken, please give me your advice.
I am not a good writer; please correct me.
I don't know much about unpacking, so please don't ask me to unpack things for you...

Author: niubowei

Email: advice107@sina.com

http://nboy.cnwlt.com/

Qq: 343538175
A packer (a "shell" program) is a tool that modifies other programs without affecting their use. Programmers often run their own software through a packer to encrypt or compress it, and packed software is generally hard to reverse engineer. Unpackers came into being as a response. From that point of view it is worth understanding the principles of both packing and unpacking.

The following uses Def as an example to explain how a packer works, and at the same time modifies Def so that it gains an unpacking function of its own.

Def is a small open-source packer whose source code is easy to read and easy to learn from. Its source code and binaries can be downloaded from http://protools.cjb.net.

First, the packing principle, as read from its source code. The packing process is as follows:

1. Open the file to be packed as a memory-mapped file image, and check that it is a valid PE file and not a DLL;

2. Walk all section headers. Based on the section name, decide whether the section is the import table, the resource section, or some other section. If it is neither of the first two, locate the section and, using its size as the counter, XOR the section's contents, which is the whole "encryption". The encryption loop is:

    _encrypt:                    ; encrypt this section
        xor byte ptr [esi], al   ; XOR one byte with al (the "encryption")
        inc esi                  ; esi points to the next byte of the section
        dec eax                  ; counts down to the end of the section; also the key byte for the next XOR
        jne _encrypt

Then every section name is changed to .def, and the sections that were not encrypted are marked as such in the section header. See the following figure for details;

3. Add a self-decrypting loader to the packed file so that it decrypts itself when it runs. For this part refer to the _loader section of the source code. The loader code is appended after the last section of the file, and the file's entry point is changed to the loader's offset address. The code that copies the loader is:

    mov esi, offset _loader    ; esi = offset of _loader
    mov ecx, _loader_size      ; ecx = size of the loader
    rep movsb                  ; copy the loader to the end of the packed file's last section

In fact, it would be better to check here whether there is enough space to place this code.

4. Close the file memory mapping;

With the above process in mind, read the code carefully and I believe you will quickly understand exactly how it works. Next we modify Def so that it can unpack.

Unpacking Def manually is very simple. I will use removing Def's own shell as the example to describe the unpacking process:

1. Load Def in Trw;

2. Single-step with F10 until you reach xxxx:400244 push dword ptr 00401000, where 00401000 is Def's original entry point. Run the Suspend command to suspend the process, then press F5 to return to Windows;

3. Open Peditor, click Task, select the suspended Def process, right-click Dump (full), and save the dump as unDef;

4. Use Peditor to change the entry point of the unDef file to 00001000. Note that the entry point is 00401000 minus the image base 00400000.

Now unDef is the unpacked Def. Next we modify Def into our own unpacker, that is, we work on unDef.

First, the unpacker should be able to tell whether a file was packed by Def. We use Def's own check for this: whether the first section's name is .def. Therefore, change:

    :00401091 813A2E646566  cmp dword ptr [edx], 6665642E   ; ".def"?
    :00401097 0F858B000000  jne 00401128                    ; 0F 85 = jne: continue when not already packed

to:

    :00401091 813A2E646566  cmp dword ptr [edx], 6665642E
    :00401097 0F848B000000  je 00401128                     ; 0F 84 = je: continue only if the first section name is .def, otherwise fall through and exit

    ; Note: it is better not to change this to jmp here.

Now you can unpack files. Since Def uses simple XOR encryption, the decryption part needs no change. But when I tried to unpack a packed file, an exception occurred. Why? Because Def does not encrypt every section: it does not process the import table or the resource section. Our unDef, however, decrypts every section, so of course an error occurs. You may ask, isn't there a call _is_encryptable (i.e. 004010A7 call 004011A0) in the program that decides whether a section should be encrypted? Yes, but look closer at the _is_encryptable function. It decides whether a section may be modified by its section name, and in a packed file every section name has been changed to .def. So as far as this function is concerned, every section of the packed file should be modified.

So is there really no way to tell? Of course there is. Look closer at the loader part of the packed file, that is, the _loader part of the Def source. When the program decrypts itself it executes cmp byte ptr [esi + 07], 00 with esi pointing at the section header: if that byte is 0 the decryption of the section is skipped, otherwise the section is decrypted. We change unDef's decryption part in the same way. Starting from VA = 004010A7, the modification is:

    :004010A7 807A0700  cmp byte ptr [edx + 07], 00   ; test the section's "encrypted" flag
    :004010AB 90        nop                           ; padding so that the code that follows stays at the same addresses
    :004010AC 90        nop
    :004010AD 90        nop
    :004010AE 740F      je 004010BF                   ; flag is 0: the section was not encrypted, skip decryption
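As an added example that is not part of the original article or of Def's code, the following Python reproduces the two decisions the patched unpacker makes: the ".def" check on the first section name (the patched cmp/je at 00401091) and the byte-7 flag test in each section header (cmp byte ptr [edx + 07], 00), plus the entry-point arithmetic from step 4 of the manual unpack. The IMAGE_SECTION_HEADER layout is the standard 40-byte PE structure; the section headers themselves are constructed for the example, and the function and field names are mine.

```python
import struct
from dataclasses import dataclass

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
IMAGE_BASE = 0x00400000   # image base used in the article (00401000 - 00400000)


@dataclass
class Section:
    name: bytes
    virtual_address: int
    raw_offset: int
    raw_size: int
    encrypted: bool


def parse_section(raw: bytes) -> Section:
    """Decode one section header and read DEF's flag byte.

    DEF renames every section to ".def" and uses byte 7 of the name field
    as its flag: the loader does `cmp byte ptr [esi+07], 00` and skips the
    section when it is 0, so a non-zero byte means "this section was
    XORed" (my reading of the article's description).
    """
    name, _vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, _chars = \
        SECTION_HEADER.unpack(raw)
    return Section(name, va, raw_ptr, raw_size, encrypted=name[7] != 0)


def is_def_packed(first_header: bytes) -> bool:
    """The patched check: cmp dword ptr [edx], 6665642E (".def")."""
    return first_header[:4] == b".def"


def sections_to_decrypt(headers: bytes, count: int) -> list:
    """Return only the sections whose flag byte says they were encrypted;
    everything else (imports, resources) is left alone, which is exactly
    what the cmp/je patch at 004010A7 achieves."""
    secs = [parse_section(headers[i * 40:(i + 1) * 40]) for i in range(count)]
    return [s for s in secs if s.encrypted]


def original_entry_rva(pushed_va: int, image_base: int = IMAGE_BASE) -> int:
    """Step 4 of the manual unpack: the header stores an RVA, so subtract
    the image base from the VA the loader pushes (00401000 -> 00001000)."""
    return pushed_va - image_base


def constructed_headers() -> bytes:
    # Two constructed headers, not from a real binary: a code section that
    # DEF encrypted (flag byte 1) and a resource section it left alone.
    code = SECTION_HEADER.pack(b".def\x00\x00\x00\x01", 0x1000, 0x1000,
                               0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc = SECTION_HEADER.pack(b".def\x00\x00\x00\x00", 0x1000, 0x2000,
                               0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    return code + rsrc


if __name__ == "__main__":
    hdrs = constructed_headers()
    print("packed by DEF:", is_def_packed(hdrs))
    for s in sections_to_decrypt(hdrs, 2):
        print("decrypt section at RVA %#x, file offset %#x, %d bytes"
              % (s.virtual_address, s.raw_offset, s.raw_size))
    print("restored entry RVA: %#x" % original_entry_rva(0x00401000))
```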

Now every encrypted section can be restored. But the unpacked file still cannot run, because we have not restored the file's entry point. Let's look at how Def modifies the entry point; from that you can easily write the code that restores it, as shown below:

    :004010D6 50
